CyberNotes

Firewalls

Commonly used commands for configuring firewalls

Iptables

  1. Targets
    • ACCEPT - let the packet through
    • DROP - discard silently; the sender gets no reply and waits for a timeout
    • REJECT - discard and send an error back (ICMP port-unreachable by default; with --reject-with tcp-reset a TCP RST), so the sender fails fast
  2. Listing rules

Normal listing:

sudo iptables -L

With line numbers:

sudo iptables -L --line-numbers

Without reverse DNS lookup:

sudo iptables -L -n
  3. Add Rules

Block port 110:

sudo iptables -A INPUT -p tcp --dport 110 -j DROP

Allow multiple ports in one rule:

sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT

Allow specific source IP address:

sudo iptables -I INPUT 2 -p tcp --dport 110 --source 10.10.0.20 -j ACCEPT

Allow established and related traffic in:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow new connections in on specific ports:

sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate NEW -j ACCEPT

Allow outbound related traffic:

sudo iptables -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow new connections on a specific port to a specific destination IP address:

sudo iptables -A OUTPUT -d 10.10.0.20 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  4. Flush all rules

Flushing removes the rules but leaves the chain policies in place; if a policy is already DROP, flushing cuts every session including yours, so set the policies back to ACCEPT first:

sudo iptables -F
  5. Change default policy

A built-in chain policy can only be ACCEPT or DROP; REJECT is a target extension, so asking for it as a policy fails with "Bad policy name". To reject rather than drop, keep the policy at DROP and append a final REJECT rule to the chain. Put the ESTABLISHED,RELATED rule and your management (SSH) rule in place before switching a policy to DROP, or the current session is cut off:

sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
  6. Delete a rule

By position in the chain, using the numbers shown by iptables -L --line-numbers (numbers shift after each deletion, so re-list before deleting again):

sudo iptables -D INPUT 1
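The rules above only work as a set if they are applied in the right order: stateful ACCEPTs and the management port first, restrictive policies last, and REJECT as an appended rule rather than a policy. The script below is an added example and not from the CyberNotes page; it assumes IPv4 only, an iptables binary on PATH, SSH on 22/tcp and a single admin host 10.10.0.20 (a constructed address). SSH_PORT and ADMIN_NET are hypothetical knobs introduced here for the script.

```shell
#!/bin/sh
# Lockout-safe stateful iptables baseline built from the cheat-sheet rules.
# Added example, not from the CyberNotes page. Assumptions (not on the page):
# IPv4 only, iptables on PATH, SSH on 22/tcp, one admin host 10.10.0.20
# (constructed address). SSH_PORT and ADMIN_NET are hypothetical knobs.
set -eu

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-10.10.0.20/32}"

# Emit the rule set, one iptables command per line. The order is the point:
#  1. policies go to ACCEPT first, so a failure half-way cannot lock us out;
#  2. loopback and ESTABLISHED,RELATED are accepted before anything NEW;
#  3. a final REJECT rule gives a clean refusal (a chain policy may only be
#     ACCEPT or DROP, so REJECT has to be an appended rule);
#  4. the restrictive DROP policies are set last.
baseline_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 53,80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
EOF
}

# Sanity check before applying: no policy line may use REJECT, and in every
# chain the ESTABLISHED,RELATED accept must precede any rule admitting NEW
# connections. Returns 0 when the rule set passes, 1 otherwise.
check_rules() {
    baseline_rules | awk '
        BEGIN { bad = 0 }
        $2 == "-P" && $4 == "REJECT"        { bad = 1 }
        /--ctstate ESTABLISHED,RELATED/     { est[$3] = 1 }
        /--ctstate NEW/ && !($3 in est)     { bad = 1 }
        END { exit bad }'
}

# Print the rules by default; apply them for real with --apply (as root).
# sh -e stops at the first failing command, while the policies are still ACCEPT.
case "${1:-}" in
    --apply) check_rules && baseline_rules | sh -e ;;
    *)       baseline_rules ;;
esac
```

Run it without arguments to review the generated commands, then `sudo sh baseline.sh --apply`. On a remote box, keep a second session open or schedule a rollback (for example `sudo iptables -P INPUT ACCEPT` via `at` or a backgrounded `sleep 300 && ...`) before applying, and make sure ADMIN_NET covers the address you are connecting from.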

Firewalld

  1. Start the Service
sudo systemctl start firewalld
  2. Stop the Service
sudo systemctl stop firewalld
  3. Saving Current Rules

Changes made without --permanent are runtime only and vanish on reload or reboot; copy them into the permanent configuration with:

sudo firewall-cmd --runtime-to-permanent
  4. List Rules

List all rules:

sudo firewall-cmd --list-all

List allowed services:

sudo firewall-cmd --list-services

List direct rules:

sudo firewall-cmd --direct --get-rules ipv4 filter OUTPUT
  5. Allow Ports

Opens the ports in the default zone for the running configuration (repeat with --permanent, or run --runtime-to-permanent afterwards, to keep them):

sudo firewall-cmd --add-port 22/tcp --add-port 80/tcp --add-port 443/tcp
  6. Remove a Service
sudo firewall-cmd --remove-service ssh --remove-service cockpit --remove-service dhcpv6-client
  7. Add a Rich Rule
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.10.0.10" port protocol="tcp" port="110" accept'
  8. Add Rule to Iptables

Direct rules are handed straight to iptables with a priority (0 is evaluated first), so the ordering below allows SSH and then rejects everything else outbound. The direct interface is deprecated since firewalld 1.0 in favour of policies, but still works:

sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 22 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -j REJECT

Ufw

  1. Start the Service
sudo ufw enable
  2. Check the Service Status

Basic check:

sudo ufw status

Check with line numbers:

sudo ufw status numbered

Verbose check:

sudo ufw status verbose
  3. Reset the Rules

ufw reset deletes all rules and disables the firewall, so enable it again afterwards:

sudo ufw reset
sudo ufw enable
  4. Block Ports

Drop packets:

sudo ufw deny ssh

Reject packets:

sudo ufw reject ssh
  5. Allow Ports

For all sources:

sudo ufw allow 22,80,443/tcp

For specific sources:

sudo ufw allow from 10.10.0.10/32 to any port 110
  6. Delete Rules

By rule number from ufw status numbered (numbers shift after each deletion, so re-check before deleting again):

sudo ufw delete 2
  7. Set Default Policy

The default applies to traffic no rule matches. With outgoing set to reject, the host can no longer resolve names or fetch updates until DNS, HTTP and the like are explicitly allowed, so add those rules before changing it:

sudo ufw default deny incoming
sudo ufw default reject outgoing
